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Abstract. Brizolis asked the question: does every prime p have a pair 
(g, h) such that h is a fixed point for the discrete logarithm with base g? 
The first author previously extended this question to ask about not only 
fixed points but also two-cycles, and gave heuristics (building on work of 
Zhang, Cobeli, Zaharescu, Campbell, and Pomerance) for estimating the 
number of such pairs given certain conditions on g and h. In this paper 
we give a summary of conjectures and results which follow from these 
heuristics, building again on the aforementioned work. We also make 
some new conjectures and prove some average versions of the results. 



1 Introduction and Statement of the Basic Equations 

Paragraph F9 of 6 includes the following problem, attributed to Brizolis: given 
a prime p > 3, is there always a pair (g, h) such that g is a primitive root of p, 
1 < h < p — 1 , and 

g h = h mod p ? (1) 
In other words, is there always a primitive root g such that the discrete logarithm 
log fl has a fixed point? As we shall see, Zhang (|17p not only answered the question 
for sufficiently large p, but also estimated the number N(p) of pairs (g, h) which 
satisfy the equation, have g is primitive root, and also have h a primitive root which 
thus must be relatively prime to p — 1. This result seems to have been discovered 
and proved by Zhang in |17j and later, independently, by Cobeli and Zaharescu 
in [3]. Campbell and Pomerance made the value of "sufficiently large" 

small enough that they were able to use a direct search to affirmatively answer 
Brizolis' original question. As in 0, we will also consider a number of variations 
involving side conditions on g and h. 

The first author would like to thank the Rose-Hulman Institute of Technology for the special 
stipend which supported this project. 
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In 7j, the first author also investigated the two-cycles of log ff , that is the pairs 
(g, h) such that there is some a between 1 and p — 1 such that 

g h = a mod p and g a = h mod p. (2) 

As we observed, attacking @ directly requires the simultaneous solution of two 
modular equations, presenting both computational and theoretical difficulties. When- 
ever possible, therefore, we instead work with the modular equation 

h h = a a mod p. (3) 

Given g, h, and a as in J5J), then J2J is clearly satisfied and the common value 
is g ah modulo p. Conditions on g and h in J5J) can (sometimes) be translated 
into conditions on h and a in ©. On the other hand, given a pair (h,a) which 
satisfies (0, we can attempt to solve for g such that (g, h) satisfies © and translate 
conditions on (h,a) into conditions on (g,h). Again, we will investigate using 
various side conditions. 

Using the same notation as in jTJ , we will refer to an integer which is a primitive 
root modulo p as PR and an integer which is relatively prime to p — 1 as RP. An 
integer which is both will be referred to as RPPR and one which has no restrictions 
will be referred to as ANY. All integers will be taken to be between 1 and p — 1, 
inclusive, unless stated otherwise. If N(p) is, as above, the number of solutions 
to Q such that g is a primitive root and h is a primitive root which is relatively 
prime to p — 1, then we will say N(p) = -F s pr,^ rppr(p), and similarly for other 
conditions. Likewise the number of solutions to (J2J) will be denoted by T and the 
number of solutions to will be denoted by C. If ord p (g) = ord p (h), we say that 
gORDh. 

The idea of repeatedly applying the function x i— > g x mod p is used in the 
famous cryptographically secure pseudorandom bit generator of Blum and Micali. 
(PQ; see also and [H], among others, for further developments.) If one could 
predict that a pseudorandom generator was going to fall into a fixed point or cycle 
of small length, this would obviously be detrimental to cryptographic security. Our 
data suggests, however, that the chance that a pair (g, h) is a non-trivial two-cycle 
is 1/ {p— 1) for most of the conditions on choosing g and h that we have investigated. 
Likewise the chance that a pair (g, h) is a fixed point is generally l/(p — 1). This 
might perhaps be taken as an indication that the seed of one of these pseudorandom 
generators should be chosen to avoid redundant conditions which would increase 
the chances of a small cycle. 

This paper is meant to serve as a summary of the authors' recent work. For 
detailed proofs and explanation we refer the reader to our forthcoming paper ( .9;), 
in preparation. Numerical examples are provided here to illustrate the conjectures 
and results. 

2 Conjectures and Theorems for Fixed Points 

A list of conjectures and theorems on fixed points appeared in [7] and was cor- 
rected in the unpublished notes |8]. These conjectures and theorems are summa- 
rized in Table 0] which appeared in [H]. The table also contains new data collected 
since |7J. 

The first rigorous result on this subject was for F g pr ^ rppr(p). Both and 
provided bounds on the error involved; we will use notation closer to pj]. 
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Table 1 Solutions to Q 



(a) Predicted formulas for F(p) 



g\h 


ANY 


PR 


RP 


RPPR 


ANY 




~ *0-i) a 
~ (p-D 


=<A(p-i) 


~ 0(P-1)" 
~ (P-D 


PR 






~ ^(p-i) 2 


~ 0(P-1)" 


~ (p-1) 


~ (p-1) 


~ (P-D 


RP 


~0(p-i) 


~ (p-1) 2 


~ 

~ (p-1) 


~ 0(P-1) J 
~ (P-D 2 


RPPR 


~ <t>ip-^Y 






~ 0(P-1) J 


~ (p-d 




~ (p-i) 2 


~ (P-1) 2 


(b) Predicted values for F(100057) 


g\h 


ANY 


PR 


RP 


RPPR 


ANY 


100056 


9139.46 


30240 


9139.46 


PR 


30240 


9139.46 


9139.46 


9139.46 


RP 


30240 


2762.23 


9139.46 


2762.23 


RPPR 


9139.46 


2762.23 


2762.23 


2762.23 


(c) Observed values for F(100057) 


g\h 


ANY 


PR 


RP 


RPPR 


ANY 


98506 


9192 


30240 


9192 


PR 


29630 


9192 


9192 


9192 


RP 


29774 


2784 


9037 


2784 


RPPR 


9085 


2784 


2784 


2784 



Theorem 1 (Theorem 1 of 0) 

Hp - 1) 2 



Fg PR, h RPPR (p) 



P-1 



<d(p-l) 2 V^(l + lnp). 



We next turn our attention to fg any,/i any(p) j for which we can prove the 
following result: 

Theorem 2 

| i* 1 g ANY, h ANY (p) - (p - 1)| < d(p - l)cr(p - l)y^(l + lnp). 

Unfortunately, er(n) = O(nlnlnn) in the worst case and in any case <j{p — 1) > 
p — 1 + (p — l)/2 + 2+1 > 3p/2. Thus the error term overwhelms the main term. 
The problem occurs because we use the fact that can be solved exactly when 
gcd(/j,p — 1) = e and /i is a e-th power modulo p, and in fact there are exactly 
e such solutions. When h is RPPR then e is always 1 so counting the number of 
h is sufficient. When h is ANY, however, we need to count the number of h such 
that gcd(h,p — 1) = e and ft. is a e-th power modulo p and then multiply by e, 
and do this for each divisor e of p — 1. Thus an error of even 1 in calculating the 
number of h above for a large value of e will result in an error of 0(p — 1). (We can 
improve the situation somewhat by separating out the elements where e is p — 1 or 
(p — l)/2, but the results are still not what one would wish for. More details will 
appear in 0.) 

The case where g is PR and h is ANY is very similar to the previous case, and 
unfortunately has the same problem: 
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Theorem 3 

|F s PR, feA NY(p) - 4>(p ~ 1)| < d{p - l)V(p - l)y/p{\ + lap). 

Finally, we should mention that the second author (in JI]) pointed out that 
we could also estimate the number G g pr^ any(p) of values h such that there exists 
some g satisfying QJ, with g PR and h ANY: 

Theorem 4 



G 



9 PR.hANY 



(P)- 



1 



l i 

e|p— 1 



p-i 



<d(p-l) 3 ^(l + lnp). 



Similarly, we have: 
Theorem 5 



G g ANY, /i ANY (p) 



e|p — 1 



p-i 



<d(p-l) 2 Vp(l + lnp). 



Since we are no longer counting multiple solutions for each value of h the 
problem mentioned above disappears; the error terms are 0(p 1//2+<: ) while the main 
terms look on average like a constant times p. 

3 Conjectures for Two-Cycles 

Conjectures relating to equations J3J and J5J also appeared in and were 
corrected in the unpublished notes These are summarized in Tables [21 and |3 
which appeared in The table also contains new data collected since [7]. As 
in 0, we distinguish between the "trivial" solutions to 10, where h — a, and the 
"nontrivial" solutions. 

It was observed in [7] that when neither h nor a is RP the relationship be- 
tween @ and is more complicated than in the other cases. (Summaries of the 
conjectures in these cases are given in Tables [21 and [3] ) We were able, however, to 
make the following conjectures about solutions to (J3J. 

Conjecture 1 

(a) CfcANY.a ANY (p) » (p - 1) + Em|p-1 (£«fl(p-l)/ m ^T 2 ) ■ 

(b) Ifp-1 is squarefree then C h any, a any (p) ~ (p - 1) + 
where the product is taken over primes q dividing p — 1 . 

(c) In general, 

Ch ANY, a ANY (p) 

w (p - 1) + 

q t;~ , \ l \ yy j 



1-i 

1 




[q-lY 
+ (a 2 + 2a+ l)q a+1 



( 9 -l)3 

where the product is taken over primes q dividing p 
power of q dividing p — 1 . 



1 and a is the exact 
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(d) C/,pr )0 any(p) « 20(p— 1). 

(e) ChANY.aPR(p) ~ 2</>(p - 1). 

(f) C h PR , Q PR (p) « 0(p - 1) + <j>ip - l) 2 /(p - 1). 

(The formulas in ConjectureQlJ and Conjecture ^0) appear in [7] with typos. 
They appear correctly here and in [HI-) 

Table 2 Solutions to J3 



(a) Predicted formulas for the nontrivial part of C(p) 



a\h 


ANY 


PR 


RP 


RPPR 


ANY 






«<Mp-i) 


~ *(p-i) 3 
~ (p-iy 


PR 




~ (p-1) 


~ 0(p-i)" 


~ ^(p-i) a 
~ k-i^ 


RP 


~0(P-1) 


~ 

~ (P-1) 


~ Hp-'LT 
~ (p-i) 


~ ^(p-i) a 
~ (P-i) 2 


RPPR 


~ ^(P-1) J 


~ 0(P-1)" 


~ <Mp-i) j 


~ 0(p-i) J 




~ (P-D 2 


~ (P-D a 


~ (p-d* 


(b) Predicted values for the nontrivial part of C(100057) 


a\h 


ANY 


PR 


RP 


RPPR 


ANY 


190822.0 


30240 


30240 


2762.225 


PR 


30240 


9139.458 


9139.458 


2762.225 


RP 


30240 


9139.458 


9139.458 


2762.225 


RPPR 


2762.225 


2762.225 


2762.225 


2762.225 


(c) Observed values for the nontrivial part of C(100057) 


a\h 


ANY 


PR 


RP 


RPPR 


ANY 


190526 


30226 


30291 


2820 


PR 


30226 


9250 


9231 


2820 


RP 


30291 


9231 


9086 


2820 


RPPR 


2820 


2820 


2820 


2820 



As observed in [3| , conditions on (J2J can sometimes be translated into conditions 
on (pj) in a relatively straightforward manner. In other cases, however, things are 
more complicated. Let d — gcd(/i, a,p — 1), and let uq and vo be such that 

uoh + vqcl = d mod p — 1. 

Taking the logarithm of the two equations of (0) with respect to the same primitive 
root b and using Smith Normal Form, we can show that 10) is equivalent to the 
equations: 

h h/d = a a/d mQdp and g d = h v 0a u modp ( 4 ) 
In the case where d — gcd(/i, a,p — 1) = 1 then this becomes just 

h h = a a mod p and 5 ee /i^a" mod p. (5) 

Thus: 
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Proposition 1 Ifgcd(h, a,p— 1) = 1, then there is a one-to-one correspondence 
between triples {g,h,a) which satisfy (J3J) and pairs (h,a) which satisfy 0, and the 
value of g is unique given h and a. In particular, this is true if h is RP or a is RP. 

In it was claimed that given a pair (h, a) which is a solution to 10 we 
expect on the average gcd(a,p— l)gcd(/i,p — 1)/ gcd(ha,p — l) 2 pairs (g,h) which 
are solutions to (0). It is clear from Q), however, that the proper equation to look 
at in this case is not but 

h h/d = a a/d modp ( 6 ) 

Now we can approximate the number of nontrivial solutions of © using a 
similar birthday paradox argument to that used in 7 for Conjecture ^ The end 
result (see our forthcoming paper for details) is the following conjectures: 

Conjecture 2 

(a) T gPR j lANY (p) ps 2(f)(p - 1). 

(b) Tg ANY ,h ANY {p) ~ - 1). 

and: 

Conjecture 3 

(a) T gRPJl .(p) ps [cj)(jp- l)/(p- 1)} T g any M.(p)- 

(b) T gRPPR;h .(p) ps [<t>(p- l)/(p- l)]T ffPR)fc .(p). 

f where • stands for any one of the four conditions which we have used on h) 

The data from Tables ^ 121 and was collected on a Beowulf cluster 1 , with 
19 nodes, each consisting of 2 Pentium III processors running at 1 Ghz. The 
programming was done in C, using MPI, OpenMP, and OpenSSL libraries. The 
collection took 68 hours for all values of F(p), T(p), and C(j>), for five primes p 
starting at 100000. 

4 Averages of the Results and Conjectures 

Thus far we have considered variants of Brizolis conjecture for a fixed finite 
field with p elements. In this section we consider average versions of these results 
and conjectures. The conjectures predict a main term; the results give a main term 
and an error term. The following sequence of lemmas gives the behavior of the 
main terms, on average. 

The following result for fe = 1 is well-known, see e.g. ^3 El- For arbitrary 
fc it was claimed by Esseen 0] (but only proved for k = 3). A proof can be given 
based on an idea of Carl Pomerance ^Sj ■ (Proofs of all of the results in this section 
will appear in a forthcoming paper.) 

Lemma 1 Let k and C be arbitrary real numbers with C > 0. Then 
where 

Given this lemma it is trivial to establish: 



1 A type of high-speed parallel computing system built out of standard PC parts. 
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Table 3 Solutions to 



(a) Predicted formulas for the nontrivial part of T(p) 



g\h 


ANY 


PR 


RP 


RPPR 


ANY 




~ <f>(p-i)* 
~ (p-i) 




~ 0(p-i) a 
~ (p-D 2 


PR 




~ (p-D 


~ (p-1) 


~ 4>(p-ir 
~ (p-D 2 


RP 




~ </-(p-i) j 
~ cp-d" 


~ 0(P-1)" 
~ (p-D 


~ 0(p-i) 4 
~ (P-D a 


RPPR 


~ (P-D 


~ (p-i) 2 


~ 0(P-1) J 
~ (p-l)* 


~ 0(p-i) 4 



(b) Predicted values for the nontrivial part of T(100057) 



g\h 


ANY 


PR 


RP 


RPPR 


ANY 


100056 


9139.5 


30240 


2762.2 


PR 


30240 


9139.5 


9139.5 


2762.2 


RP 


30240 


2762.2 


9139.5 


834.8 


RPPR 


9139.5 


2762.2 


2762.2 


834.8 



(c) Observed values for the nontrivial part of T(100057) 



g\h 


ANY 


PR 


RP 


RPPR 


ANY 


100860 


9231 


30291 


2820 


PR 


30850 


9231 


9231 


2820 


RP 


30368 


2882 


9240 


916 


RPPR 


9376 


2882 


2882 


916 



Theorem 6 Let C > be arbitrary. We have 



E 



FgPR,hRPPR(p) . T ., , . n I X 

= A 2 Li(x) + O c [ ■ — q 



p-1 

Using similar lemmas, one can prove: 
Theorem 7 Let C > be arbitrary. We have 



whe 



and 



where 



E 



log X 



GgPRMANYjp) _ A C(3) T w , n 

P-1 C(2) Vlog c a: 



2p 



p 3 -l 



0.27327 30607 85299 15983 • ■ 



— = SLi(x) +O c [— c 



p-i- 1 



log X 



0.57595 99688 92945 43964 • • • 



is the Stephens constant (see |16j ). 
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Theorems |21 and 01 are unfortunately more problematic, due to the presence of 
the exceptionally large error term. The error term can probably be reduced to no 
larger order than the main term by separating out the most problematic cases and 
considering the sort of averaging we are doing in this section but the results are 
still conjectural at present, and the error term is still not satisfactory in any case. 

On the other hand, almost all of the conjectures on (JTJ, @, and J2J lend 
themselves easily to average versions of the sort treated above. These average 
versions are summarized in Tables 01 El and The data in these tables was 
collected on the same Beowulf cluster mentioned above, with similar software. The 
collection took 17 hours for all values of J2 P < X f^M E P <x f=i j and J2 P < X 
for x = 6143. 

The results of the preceding section unfortunately do not allow us to evaluate 
the average value of the right hand side of Conjecture Let us put 

2 



cf>(dm) \ 
' I ' dm J 



} (p) = y <x m ) 



m|p— 1 \ d\m J 

Numerically it seems that 

lim J-y ^4 = 1.644.-., 

x—>oc 7r(x) Z — ' p — 1 

p<x 

with rather fast convergence. We are thus tempted to propose the following con- 
jecture. 

Conjecture 4 Let C > be arbitrary. We have 



y ^any^any(p) = 2 644 . . . u(x) + Q( 



log X 



p<x 

Although we cannot prove this at present, we can establish the following result. 
Lemma 2 For every x sufficiently large we have 

1.444 < -L Y — < 3-422 
n(x) ^ — ' p — 1 

p<x 
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PR 
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g\h 


ANY 


PR 


RP 


RPPR 
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1 
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